If you are a network administrator, you often must increase the basic security of your routers and switches. These configurations may go beyond enabling SSH support and configuring login banners, and there are many good practices and recommended actions you must follow while introducing new devices into your network.
In this article I will present a few configuration options which will help you implement security policies more efficiently and follow some Cisco recommendations along the way. Some of these will only work on Cisco switches and not routers, but I hope they all are worth learning and that they will contribute to making you a better Cisco administrator.
Here are the tips I would like to share with you today:
– Cisco Switch Interface “Range” Command
– User Privilege Levels
– Switch Macro Command
– Named ACL
– ‘Reload in’ Command
Cisco Switch Interface “Range” Command
One day your boss may ask you to introduce a new switch to the existing infrastructure. You do so and make sure this new device does not become the new ‘root bridge’ in your spanning-tree domain. You also make sure that VTP is not going to push wrong information about the existing VLANs and create mayhem in your network. After taking care of everything that your company’s policy stipulates, you read the last step in the procedure that you forgot was there:
XYZ Industry Inc.: Unused Switch Port Configuration.
- * Port VLAN ID: 999
- * Port Administrative Mode: Access
- * Port Description: UNUSED
- * Port Status: Shutdown
This task makes you scowl because you think you will need to repeat the same configuration many times (many ports will need it), but there is a method of implementing this configuration in one single action! Instead of accessing each individual port of the switch, you can use the ‘range’ command to access many of them simultaneously and apply the required configuration to all of them at once.
However, in Cisco’s implementation of this command there are a few tricky things you must be aware of.
Let’s assume that the switch ports that require configuration are: Fas0/1, Fas0/2, Fas0/3, Fas0/5 and Fas0/7.
Notice that the first three ports are consecutive (1, 2 and 3). In this case, Cisco IOS uses the following syntax:
interface range fas0/1 - 3
This will give you access to all three ports at the same time. The command prompt changes to:
SW1(config-if-range)#
The spaces between the numbers and the dash “-” are mandatory. If you miss a space there, you will only access one port.
Whatever commands you execute in the ‘interface range’ context will be applied to all the ports you have referred to (here: 1 through 3). In our example we also need to include ports Fas0/5 and Fas0/7, but these are not consecutive ports. You must use a comma as a separator in such a situation. Remember to include spaces between the ports and the comma. Let’s configure our unused ports according to the policy now:
In order to verify your configuration, type in: show running-config. You will see that all the ports in question have been configured as expected. Alternatively, you can use the following check:
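The range configuration for the XYZ unused-port policy, followed by a verification command, as an added example rather than the article’s own screenshot. It assumes a switch named SW1 and the five ports listed above, and uses ‘show interfaces status’ as my choice of check.

```cisco
! Added example: apply the unused-port policy to Fas0/1-3, Fas0/5 and Fas0/7 in one go.
! Spaces around the dash and around each comma are mandatory.
SW1(config)#interface range fas0/1 - 3 , fas0/5 , fas0/7
SW1(config-if-range)#switchport mode access
! If VLAN 999 does not exist yet, a switch in VTP server or transparent mode creates it
! at this point; a VTP client cannot, so create the VLAN on the VTP server first in that case.
SW1(config-if-range)#switchport access vlan 999
SW1(config-if-range)#description UNUSED
SW1(config-if-range)#shutdown
SW1(config-if-range)#end
! Check: every port carrying the UNUSED description should show 'disabled' status in VLAN 999
SW1#show interfaces status | include UNUSED
```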
User Privilege Levels
CCNAs are most often taught about two major CLI modes:
- User Exec Mode also known as level 1 (prompt: ‘>’)
- Privileged Exec Mode also known as level 15 (prompt: ‘#’)
The first one gives a user access to some basic monitoring commands (show), but does not allow them to see the running configuration, perform debugging or configure a device.
As presented in the above picture, users operating at level 1 cannot do much. All configuration and full diagnostics are reserved for users with privileged access (level 15), which we enter using the ‘enable’ command.
However, there are other levels available between 1 and 15 that can allow users to access certain types of commands but not others. In order to use them, an administrator has to configure what is going to be available at these other access levels.
The best way to see how this might work is to create a fictitious problem and solve it. Our XYZ Industry Inc. is hiring a junior network administrator. Initially, the person will be able to enable and disable interfaces, but will not have full access to a device. Our new administrator’s username is going to be Joe.
The access level for Joe could be anything between 2 and 14. The higher the level, the more the user can do (it inherits lower level capabilities). Let’s tackle the problem using a few steps.
Firstly, let us define username Joe and assign him the password ‘0nlyJ03’ (without quotes) and the level 3 access. User Jane will have privileged level 15 access with password C1sc0.
R1(config)#username jane privilege 15 secret C1sc0
R1(config)#username joe privilege 3 secret 0nlyJ03
You must never forget to add a username with privilege level 15 if you plan on prompting for a username and password.
Next, we should specify what level 3 users can do with the interfaces. Do not forget to give the user access to ‘configure terminal’ command which allows them to enter the interface context.
R1(config)#privilege interface all level 3 shutdown
R1(config)#privilege interface all level 3 no shutdown
R1(config)#privilege configure level 3 interface
R1(config)#privilege exec level 3 configure terminal
The last thing to do is to configure the console and/or vty lines to prompt for the username:
R1(config)#line console 0
R1(config-line)#login local
R1(config-line)#line vty 0 4
R1(config-line)#login local
It’s a good idea to check if this configuration works. We can do this by accessing the router’s CLI as presented below:
Clearly, Joe is at the right privilege level, but he should not be able to display the running configuration of the router since we never gave him that privilege.
However, he is able to change the status of the router’s interfaces:
Notice that Joe can enter global configuration and interface context. He can shut the interface down (you granted him that), but he cannot assign an IP address on the interface.
There are better ways of granting users access to specific tasks, such as role-based CLI access or AAA, but this is a topic for another article.
Switch Macro Command
Another excellent mechanism available on Cisco switches is Smartport macros. They are a very convenient way of saving and sharing configurations. An administrator can create template configurations for the ports and apply them on the interfaces. The commands already present on an interface are not removed; the macro’s commands are added to them (an existing command is only overwritten if the macro repeats it with different parameters). You should also know that Cisco ships a few default macros to facilitate some common deployments (check the link below for details).
If the default templates do not meet our needs we can configure our own macros as well. My objective is to create a macro which does the following on the interfaces:
- * Macro Name: ACCESS_PORTS
- * STP Enhancement: Portfast
- * STP Protection: BPDU Guard Enabled
- * Security:
- * Port-Security,
- * Violation: Restrict,
- * Max MAC Addresses: to be provided by the user during the macro execution
- * VLAN ID: to be provided by the user during the macro execution
Here’s a solution to this problem:
Don’t forget to finish your macro with ‘@’.
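A macro definition that meets the requirements above, as an added example and not the article’s own listing. It assumes the switch is called SW1 and uses the parameter names VLANID and MAXHOSTS, which are the ones the ‘macro apply’ command in this article supplies.

```cisco
! Added example: Smartport macro with two user-supplied parameters ($VLANID, $MAXHOSTS)
SW1(config)#macro name ACCESS_PORTS
# IOS now reads the macro body one command per line until a line containing only '@'
# (inside the body, lines starting with '#' are comments)
switchport mode access
switchport access vlan $VLANID
spanning-tree portfast
spanning-tree bpduguard enable
# port-security is only accepted on a port in static access (or trunk) mode,
# so these lines must come after 'switchport mode access'
switchport port-security
switchport port-security maximum $MAXHOSTS
switchport port-security violation restrict
# optional help string: makes 'macro apply ACCESS_PORTS ?' list the required keywords
#macro keywords $VLANID $MAXHOSTS
@
SW1(config)#
```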
Now it is time to apply it on an interface (or range of interfaces). I will apply this on interface fas0/4 of my switch.
SW1(config)#interface fas0/4
SW1(config-if)#macro apply ACCESS_PORTS VLANID 99 MAXHOSTS 2
If I display the running configuration of the interface, I can verify that the macro has worked like a charm.
Named ACL
Access Control Lists have been around for ages. With IOS version 12.3 Cisco introduced named ACLs, which address the awkward way numbered access lists had to be modified.
Let us see how the old way worked first, and then apply named ACLs to see the difference in the speed of operation as well as convenience of using the latter solution.
Initially, my numbered ACL will block incoming Telnet traffic but allow everything else. I will apply it on the Fas0/0 interface.
Here are the ACL statements:
R1(config)#access-list 100 deny tcp any any eq telnet
R1(config)#access-list 100 permit ip any any
The statements must be applied on the appropriate interface:
R1(config)#interface fas0/0
R1(config-if)#ip access-group 100 in
Now imagine you must add a line which is going to block incoming ICMP echo messages. You can’t just add this line to the existing ACL, since it would be appended after the last line, which permits all other IP traffic, and ICMP would never be blocked. Take a look:
So, how did we modify this ACL in the past? We used a text editor (Notepad, for instance): we copied the existing ACL and modified the statements to fit our needs. Then we removed the existing ACL (no access-list 100) and pasted the modified statements into global configuration mode.
If you still have numbered ACLs configured on your device, it is not a lost cause. I will show you a nice trick on how to modify the numbered ACL without using notepad. Before that, though, I will show you the benefits of using named ACLs first.
I am going to create another ACL called FILTER and go through the same process as with ACL 100.
The syntax is similar:
ip access-list [standard | extended] name
Take a look:
R1(config)#ip access-list extended FILTER
R1(config-ext-nacl)#deny tcp any any eq telnet
R1(config-ext-nacl)#permit ip any any
The reference numbers that are placed next to the statements will allow us to squeeze lines between other lines:
Let’s modify current statements by adding the deny ICMP echo statement above the last one so that it can take effect:
R1(config)#ip access-list ext FILTER
R1(config-ext-nacl)#15 deny icmp any any echo
This way we can add statements without removing ACL from a router.
Removing statements is just as easy. If you wanted to remove line 15, you would enter the ACL context and simply type in:
R1(config)#ip access-list ext FILTER
R1(config-ext-nacl)#no 15
In case you run out of the available ‘room’ you can also re-sequence the ACL numbers as shown below:
R1(config)#ip access-list resequence FILTER 10 20
This will change all the statement reference numbers starting at 10 with increments of 20.
Check it out:
Of course, you would need to apply the named ACL in the same way you did with the numbered one:
interface fas0/0
ip access-group FILTER in
Now let me show you a nice trick with the numbered ACL. As long as your IOS version supports named ACLs, you can refer to the numbered ones as if they are named.
Remember our good old access-list 100? It looks like this:
Extended IP access list 100
    10 deny tcp any any eq telnet
    20 permit ip any any
    30 deny icmp any any echo
The order of statements is incorrect. The last entry should either be at the top or placed as the second line in the ACL. Here’s how easy it is to modify it using the named ACL syntax:
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#no 30
R1(config-ext-nacl)#15 deny icmp any any echo
The result should be satisfactory:
All other mechanisms such as re-sequencing work here as well.
‘Reload in’ Command
The last tip in this article is sometimes referred to as a ‘life saver’. Imagine that you must implement an ACL on a router in some distant location, perhaps in a different town. If you make a mistake while applying the ACL, you can terminate your own connection (you are applying the ACL on the very interface you are using to access the router). What would you do then? The answer is to ask somebody at that location to reload the router for you in case you terminate your connection. This way, all the configuration you have applied will be removed since you never saved it to NVRAM.
What if there is nobody there to assist you?
A better way is to use the ‘reload in’ command. Here’s an example of how you would use it. You have created the ACL and saved the configuration using ‘wr’ (remember, this is the older form of ‘copy run start’). Then, before you use the ‘ip access-group’ command to apply it on the interface, you type the following in privileged mode:
R1#reload in 10
The router will ask you to confirm this. If you hit ‘Enter’, your router will reload itself in exactly 10 minutes (give yourself as much time as you need). You can check the time left using the ‘show reload’ command. If, after you have applied the ACL on the interface, you are still connected (you did not cut yourself off after all), you can cancel the reload by typing in:
R1#reload cancel
R1#
*** --- SHUTDOWN ABORTED ---
Your router informs you that the shutdown has been aborted.